MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8704c0b6842fd04928290c56a7cacb70e920c1af0ebad2bc981d5005345377b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8704c0b6842fd04928290c56a7cacb70e920c1af0ebad2bc981d5005345377b8
SHA3-384 hash: b5cf2db3d7449932b9bab2cf60793d2cfc553d6ab5a9bc7854847dc0f65cd3b96052dc5387927129405a4be5918b6c5a
SHA1 hash: 8801c82e95d5d5ab2c87e81b6b7768142df957f3
MD5 hash: c4753d4efda428971afd33ec13a00e9b
humanhash: sink-mississippi-louisiana-leopard
File name:c4753d4efda428971afd33ec13a00e9b.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:257'536 bytes
First seen:2022-04-06 06:11:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4015140a4b9194b9643a2e5ad5a6ffac (4 x Stop, 1 x RedLineStealer)
ssdeep 6144:rpWD21e7aRcIcQylq16YQvZ4y40rTWWotwr64U:rpWAOkcIcQcq1sx4y4Uotwr6
Threatray 4'456 similar samples on MalwareBazaar
TLSH T139447D00BB90C035F5B716F499BA93AC793E79A15B3491CB62E51BED5A346E4EC3030B
File icon (PE):PE icon
dhash icon badacabecee6baa6 (95 x Stop, 87 x RedLineStealer, 62 x Smoke Loader)
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
5.45.77.29:41494

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
5.45.77.29:41494 https://threatfox.abuse.ch/ioc/516066/

Intelligence

File Origin
# of uploads :
1
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/261163/
Detection(s):
Win.Packed.Ransomx-9942692-0
Create hunting rule

Win.Dropper.Tofsee-9942707-0
Create hunting rule

Win.Dropper.Tofsee-9942708-0
Create hunting rule

Win.Packed.Pwsx-9943145-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Sending an HTTP POST request
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/12785/overview
Behaviour
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
azorult greyware mokes packed pandora ransomware
Link:
https://www.filescan.io/uploads/624d2f3440ce5db9f417bf77/reports/5a87001d-1566-41e1-8d0d-5261a8b7bfaf/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5d97047b-ccc4-452a-a804-6e5bb9b92c56
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/971319
Signature
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 603806 Sample: VtYhzoyB4v.exe Startdate: 06/04/2022 Architecture: WINDOWS Score: 100 21 gerer.at 2->21 29 Multi AV Scanner detection for domain / URL 2->29 31 Found malware configuration 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 3 other signatures 2->35 7 VtYhzoyB4v.exe 2->7         started        10 cdtwwud 2->10         started        signatures3 process4 signatures5 37 Detected unpacking (changes PE section rights) 7->37 39 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 7->39 41 Maps a DLL or memory area into another process 7->41 43 Creates a thread in another existing process (thread injection) 7->43 12 explorer.exe 2 7->12 injected 45 Multi AV Scanner detection for dropped file 10->45 47 Machine Learning detection for dropped file 10->47 49 Checks if the current machine is a virtual machine (disk enumeration) 10->49 process6 dnsIp7 23 gerer.at 195.158.3.162, 49770, 49778, 49780 BRM-ASUZ Uzbekistan 12->23 25 181.31.125.253, 49876, 80 TelecomArgentinaSAAR Argentina 12->25 27 3 other IPs or domains 12->27 17 C:\Users\user\AppData\Roaming\cdtwwud, PE32 12->17 dropped 19 C:\Users\user\...\cdtwwud:Zone.Identifier, ASCII 12->19 dropped 51 System process connects to network (likely due to code injection or exploit) 12->51 53 Benign windows process drops PE files 12->53 55 Deletes itself after installation 12->55 57 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->57 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8704c0b6842fd04928290c56a7cacb70e920c1af0ebad2bc981d5005345377b8/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-04-01 16:45:33 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
34 of 42 (80.95%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q4cmbnuef7ieskbjbrlkpswlodusbqnpb25nfpeydviakncto64a._file
Verdict:
malicious
Similar samples:
0a223aa68af0c2af0baabda61d82748629078720a017ef4836f3322a76cb691a
RedLineStealer
849beb1413d9750e1bad8a3758dc87053d47fe5cba1528723414c918625e6d27
RedLineStealer
8999c280aca7419a8b6fe0be172723fb66f18fc1439fb2ffa463d9315b79535d
RedLineStealer
a30a63ed80fbb773fef1d1e92d3d51a049e1b3ef79036ab064efa6d98502b824
RedLineStealer
f555d9e1f8a5f8f11db6c9e22262e2cf4e7b42b8f04d6c12423573394b1d78da
RedLineStealer
f80be7705daaced45f4fdd7c1b612dc249d5edd442927c116c4cf39d33728065
RedLineStealer
+ 4'446 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/220406-gx614abbe4/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
SmokeLoader
Malware Config
C2 Extraction:
http://gerer.at/upload/
http://pass-finger.com/upload/
http://meet-ru.ru/upload/
http://elroisolutions.com/upload/
http://gebzetuning.com/upload/
http://les-pub.com/upload/
http://mordo.ru/upload/
http://pkodev.net/upload/
http://autocarsjames.com/upload/
Unpacked files
SH256 hash:
af1ed8bc92f9ac26980e6ee5eb06a3cbaf1f0e90b55cf232979b3ae0c2cb521d
MD5 hash:
d7eb5c5999dbf529fae1e968a5bc7d1f
SHA1 hash:
a12a198153a73f97c259be4fef60fa907e950e60
Link:
https://www.unpac.me/results/56a58e67-00f6-4aa5-959e-ab534361d3b5/
SH256 hash:
8704c0b6842fd04928290c56a7cacb70e920c1af0ebad2bc981d5005345377b8
MD5 hash:
c4753d4efda428971afd33ec13a00e9b
SHA1 hash:
8801c82e95d5d5ab2c87e81b6b7768142df957f3
Link:
https://www.unpac.me/results/56a58e67-00f6-4aa5-959e-ab534361d3b5/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8704c0b6842f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8704c0b6842fd04928290c56a7cacb70e920c1af0ebad2bc981d5005345377b8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/261163/

Comments